
The Android Trojan That Hijacks the Play Store Itself

  • Javier Conejo del Cerro
  • 4 Aug
  • 3 min read

A new and rapidly growing threat is targeting Android users across Europe, North Africa, and Latin America: the PlayPraetor malware. This Android remote access trojan (RAT), operated by threat actors using Chinese-controlled infrastructure, has infected more than 11,000 devices through a combination of phishing messages and deceptive advertisements delivered via Meta platforms. PlayPraetor is part of a larger malware-as-a-service (MaaS) operation that has shifted its focus toward Spanish, French, Portuguese, and Arabic speakers. What sets this malware apart is its abuse of Android’s accessibility services to gain real-time control over devices, display fake banking login screens, and steal credentials directly from user interactions. Unlike earlier Android threats limited to overlay attacks, PlayPraetor’s ecosystem supports remote livestreaming, persistent surveillance, and a growing modular infrastructure that evolves quickly through affiliate operators.


Multilingual Trojan Campaigns: The New Victim Base


The PlayPraetor campaign is not indiscriminate. It strategically targets mobile users in specific regions—namely Portugal, Spain, France, Morocco, and Peru—via tailored messages and advertisements. These victims are not high-profile government or corporate targets, but ordinary mobile users, often with limited technical defenses. Many are lured through SMS phishing messages or Meta Ads into installing what appear to be legitimate applications from lookalike Google Play pages. Once the malicious APK is downloaded and installed, the device becomes fully compromised.

The malware’s multilingual focus highlights a deliberate pivot in its operator strategy. Cleafy researchers observed that the botnet’s growth—over 2,000 new infections per week—is largely driven by campaigns aimed at Spanish- and French-speaking users, expanding beyond the usual targets of previous RAT campaigns. Particularly affected are users who frequently use mobile banking or cryptocurrency apps, as the malware specializes in spoofing login pages for nearly 200 such platforms. The Phantom variant of PlayPraetor, operated by two principal affiliates, controls over 4,500 compromised devices and appears to prioritize Portuguese-speaking users. These individuals often remain unaware that their device is compromised, as the malware enables real-time surveillance, video streaming of screen activity, and automated fraudulent actions—all while evading detection.


Fake Meta Soldiers: How the Malware Breaches and Operates


PlayPraetor’s infection chain begins with phishing SMS messages or Meta Ads linking to fake Google Play Store pages. These domains are crafted to mimic the official Play Store with near-perfect visual fidelity. Victims download malicious APKs hosted on these pages, which then install one of five known PlayPraetor variants: Progressive Web App (PWA) clones, WebView-based phishing apps, accessibility-exploiting modules, counterfeit e-commerce apps, and full-featured RAT components like EagleSpy or SpyNote.

Once installed, PlayPraetor abuses accessibility services to gain full control of the device. It can overlay login pages on banking and crypto apps, log keystrokes, access the clipboard, and capture screen contents. Furthermore, it sets up connections to a command-and-control (C2) panel using WebSocket and Real-Time Messaging Protocol (RTMP), enabling operators to issue real-time commands and even initiate livestreaming of the infected screen.

The C2 panel not only manages infected devices but also allows operators to build customized malware delivery sites. This infrastructure enables widespread campaign scalability and reusability across multiple language groups and affiliate partners. As a result, attribution becomes challenging, with multiple campaigns stemming from the same malware infrastructure yet run by different actors across various regions.


Be a gladiator, spot the trojan


Given the scale and sophistication of PlayPraetor’s operation, particularly its use of deceptive delivery methods and accessibility abuse, users and organizations must adopt a multi-layered defense strategy. The following measures can help mitigate the risk:

  • Only download applications from the official Google Play Store, and avoid installing APKs from third-party links or unverified websites.

  • Regularly review installed applications and remove any unknown or suspicious apps immediately.

  • Disable unused accessibility services on Android devices, especially for applications that do not require such permissions to function.

  • Use mobile threat defense tools capable of detecting RAT behavior, overlay attacks, and C2 communication patterns.

  • Educate users—especially those in regions targeted by the malware—on how to recognize phishing SMS, fraudulent advertisements, and suspicious app behavior.

  • Monitor network traffic for connections to suspicious or previously flagged C2 infrastructure, including WebSocket and RTMP activity.

  • Keep Android OS and security patches up to date to reduce exposure to known exploits and malware installation methods.

  • Encourage app developers to implement security mechanisms that detect overlays or anomalous accessibility service usage targeting their apps.
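For the last point, an added example (not code from the article or from Cleafy) of how an Android banking app can report unexpected accessibility services, block screen capture of its login window, and surface touches that arrive through an overlay. The class name, the allowlist contents and the onObscured callback are assumptions; the Android APIs used are real.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.app.Activity;
import android.content.Context;
import android.view.MotionEvent;
import android.view.View;
import android.view.WindowManager;
import android.view.accessibility.AccessibilityManager;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
// Hypothetical helper for a banking app's login Activity; class name and allowlist are assumptions.
public final class OverlayAndA11yGuard {
    // Assumed allowlist of tolerated accessibility services (TalkBack's package name is real).
    private static final Set<String> TRUSTED_A11Y_PACKAGES = new HashSet<>(
            Arrays.asList("com.google.android.marvin.talkback"));

    // Return enabled accessibility services that are not allowlisted. Caveat:
    // package names are attacker-chosen, so treat this as a signal, not proof.
    public static List<String> untrustedAccessibilityServices(Context ctx) {
        List<String> suspects = new ArrayList<>();
        AccessibilityManager am =
                (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        if (am == null) return suspects;
        for (AccessibilityServiceInfo info : am.getEnabledAccessibilityServiceList(
                AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            String pkg = info.getResolveInfo().serviceInfo.packageName;
            if (!TRUSTED_A11Y_PACKAGES.contains(pkg)) suspects.add(pkg);
        }
        return suspects;
    }

    // Block screenshots and MediaProjection recording of the login window, which
    // degrades the screen-streaming capability described above.
    public static void blockScreenCapture(Activity activity) {
        activity.getWindow().addFlags(WindowManager.LayoutParams.FLAG_SECURE);
    }

    // Manual equivalent of setFilterTouchesWhenObscured(true): instead of silently
    // dropping touches delivered while another window covers the field, report them.
    public static void rejectObscuredTouches(View field, Runnable onObscured) {
        field.setOnTouchListener((v, event) -> {
            boolean obscured = (event.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
            if (obscured) onObscured.run(); // e.g. warn the user and block form submit
            return obscured;                // consume: the field never sees the tap
        });
    }
}
```

On API 29 and later, MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED can be checked the same way to catch overlays that cover only part of the field.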


PlayPraetor is not a relic of the past but a current and evolving threat, actively spreading through deceptive social engineering campaigns and capable of deeply embedding itself in a victim’s device. As the malware-as-a-service landscape continues to mature, campaigns like these will only grow more advanced and harder to detect. The key to defending against them lies in user education, proactive mobile security, and swift identification of new attack patterns.
